• Why CVE-2022-0778 is bad

    From Randall@21:1/5 to All on Tue Mar 29 16:14:04 2022
    So you've probably (hopefully) read about this, but I figured I'd summarize.

    CVE-2022-0778 is an OpenSSL critical vulnerability that has been in the code a long time, but was recently found. It is fixed in the latest ITUGLIB builds, so you can feel safe there.

    Simply, OpenSSL loads certificate parameters before doing the evaluation of whether the key exchange is possible. If a specific parameter is wrong - and this can be done deliberately either on a client or server - the OpenSSL BN_mod_sqrt() function can go into a loop. This can be used as a DoS attack on a web server or can be used by a hostile redirect to crash a client, like an SSL-based POS device. Because this happens before the key exchange is done in TLS 1.2, a man-in-the-middle attack may not succeed, but the edge device can still hang. It is entirely possible that this attack has been previously used by hackers trying to cause problems.

    A surprising finding today - it is not my fault, I just found it, so do not shoot the messenger - is that this can also happen if you are using SSL signed content verification. Specifically, the openssl dgst command, with a key from an outside hostile source. The good part is you can detect this if the verification process does not complete quickly or drops to priority 1. As with any OpenSSL key, be careful where you get your certificates, trust only who should be trusted, and maintain current and hardened processes for maintaining your key stores.

    Please upgrade your version of OpenSSL to 1.1.1n or 3.0.2 at a minimum (as of 2022-Mar-29, these are the latest builds). Disabling TLS 1.2, 1.1, and 1.0 may help to reduce the likelihood of hitting this problem, because TLS 1.3 handles kex differently, but does not guarantee safety. If you need 1.0.2 patched, the fix is available from OpenSSL (with my help to apply it), but is not free - OpenSSL requires a premium support contract to get the fix - reply to me directly if you need help with that.

    Also note that many other platforms do not have fixes in their update repositories for this CVE. Check your public systems carefully. We do know of some Linux distribution versions that are definitely vulnerable because the fixes are not available to them by default - you might need that support contract I mentioned above.

    Please be careful out there and do not ignore this CVE,
    Randall Becker
    On Behalf of the ITUGLIB Technical Committee

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
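An added example, not part of Randall's post or of OpenSSL itself: a small Python helper that checks an `openssl version` banner against the fixed releases the post names (1.1.1n and 3.0.2, with 1.0.2 treated as unfixed because its patch is support-contract only), and wraps `openssl dgst -verify` in a wall-clock timeout so a hang on a hostile key is reported rather than waited on. The branch rule for releases newer than 3.0 and the 5-second timeout are my assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases as stated in the post: 1.1.1n and 3.0.2.
# 1.0.2 has no public fix, so every 1.0.2 build is reported as unpatched.

def parse_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse 'OpenSSL 1.1.1n  15 Mar 2022' or 'OpenSSL 3.0.2 ...'
    into (major, minor, patch, letter). Returns None if no version is found."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def is_patched(banner: str) -> Optional[bool]:
    """True if the build is at or beyond the fixed release for its branch,
    False if older or on an unfixed branch, None if the banner is unparseable."""
    v = parse_version(banner)
    if v is None:
        return None
    major, minor, patch, letter = v
    if (major, minor, patch) == (1, 1, 1):
        return letter >= "n"          # 1.1.1 letter releases sort alphabetically
    if (major, minor) == (3, 0):
        return patch >= 2
    if major > 3 or (major == 3 and minor > 0):
        return True                   # assumption: branches cut after 3.0.2 carry the fix
    return False                      # 1.0.2 and older: no public fix

def verify_with_timeout(pubkey: str, sigfile: str, datafile: str,
                        timeout_s: float = 5.0) -> str:
    """Run 'openssl dgst -sha256 -verify' under a time limit.
    A verification that never finishes is the symptom the post describes,
    so it is reported as 'hang' instead of blocking the caller."""
    cmd = ["openssl", "dgst", "-sha256", "-verify", pubkey,
           "-signature", sigfile, datafile]
    try:
        r = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "hang"
    return "ok" if r.returncode == 0 else "fail"
```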